Cyberattack Analysis Based on Intrusion Alerts and Attack Graphs

Primary supervisor

Mengmeng Ge

Organisations continuously face cyberattacks that unfold over multiple stages, often generating vast volumes of intrusion alerts. While modern intrusion detection systems can flag suspicious activities, they typically produce fragmented and low-level alerts that make it difficult for security analysts to understand the overall attack progression and attacker strategies. Manual analysis of these alerts is time-consuming and does not scale to fast-evolving network environments.

Attack graphs are widely used to model how attackers can potentially progress through systems by exploiting vulnerabilities. Traditional attack graph construction relies heavily on prior knowledge including network topology and vulnerability information. This limits their applicability in real-world settings where zero-day exploits exist and complete system knowledge is unavailable.

Recent research has demonstrated that attack graphs can be automatically generated from intrusion alerts, without relying on explicit vulnerability information. These approaches reconstruct attack paths, reveal attacker strategies, and reduce analyst workload. Complementary work has also explored how alert mining can be used along with attack graphs to reconstruct complete attack scenarios.

Aim/outline

This project aims to explore the use of intrusion alerts and attack graphs for automated cyberattack analysis. The key objectives are to study existing approaches that combine intrusion alerts and attack graphs and to design and implement a method that transforms raw intrusion alerts into attack graphs to support effective attack analysis.
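As an added illustration of the alert-to-attack-graph transformation described above (this is example code written for this page, not code from the project or from any of the cited work), the Python sketch below parses constructed Suricata/Snort-style fast.log lines, maps each signature to an abstract attack stage through an assumed keyword table, orders the alerts of each attacker/victim pair by time, collapses runs of alerts that belong to the same stage, and links consecutive stages into a per-victim graph whose edge weights count how many attacker sequences took that step. The log lines, the local-range signature IDs, the classification strings and the stage taxonomy are all assumptions made for the example; no vulnerability information is used, which is the point of the alert-driven approach.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts in the shape of a Suricata/Snort "fast.log" line.
# Signature IDs are in the local (1000000+) range and the messages are made up
# for this example; they are not real rules and not data from any sensor.
SAMPLE_FAST_LOG = """\
05/01/2024-09:00:01.120000  [**] [1:1000001:1] CUSTOM SCAN Nmap NSE user-agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44321 -> 10.0.1.20:80
05/01/2024-09:00:07.551000  [**] [1:1000001:1] CUSTOM SCAN Nmap NSE user-agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44322 -> 10.0.1.20:443
05/01/2024-09:05:40.003000  [**] [1:1000002:1] CUSTOM WEB SQL injection in query string [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:44390 -> 10.0.1.20:80
05/01/2024-09:12:15.770000  [**] [1:1000003:1] CUSTOM SHELL sudo spawned over reverse shell [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:44501 -> 10.0.1.20:4444
05/01/2024-09:30:02.000000  [**] [1:1000004:1] CUSTOM DATA large archive download over HTTPS [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.0.0.5:44600 -> 10.0.1.20:443
05/01/2024-09:01:00.000000  [**] [1:1000001:1] CUSTOM SCAN Nmap NSE user-agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:51000 -> 10.0.1.20:80
05/01/2024-09:06:12.000000  [**] [1:1000002:1] CUSTOM WEB SQL injection in query string [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:51010 -> 10.0.1.20:80
05/01/2024-09:02:00.000000  [**] [1:1000001:1] CUSTOM SCAN Nmap NSE user-agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44330 -> 10.0.1.30:22
"""

# fast.log layout: "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <c>] [Priority: <p>] {<proto>} <src>:<port> -> <dst>:<port>"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumed keyword -> abstract stage table (first matching rule wins). A real
# system would map signatures to a proper taxonomy such as ATT&CK tactics.
STAGE_RULES = [
    ("information leak", "reconnaissance"),
    ("scan", "reconnaissance"),
    ("administrator privilege gain", "privilege_escalation"),
    ("web application attack", "exploitation"),
    ("user privilege gain", "exploitation"),
    ("privacy violation", "exfiltration"),
]


def stage_of(msg, classification):
    """Assign an abstract attack stage from the signature message and class."""
    text = f"{msg} {classification}".lower()
    for keyword, stage in STAGE_RULES:
        if keyword in text:
            return stage
    return "unknown"


def parse_alert(line):
    """Parse one fast.log line into a dict; return None for non-matching lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "src": m["src"],
        "dst": m["dst"],
        "stage": stage_of(m["msg"], m["cls"]),
    }


def parse_alerts(lines):
    return [a for a in (parse_alert(line) for line in lines) if a]


def build_attack_graph(alerts):
    """Per (attacker, victim) pair: order alerts by time, collapse runs of the
    same stage (many alerts, one step) and add an edge between consecutive
    stages. Returns {victim: {(from_stage, to_stage): sequence_count}}."""
    by_pair = defaultdict(list)
    for a in alerts:
        by_pair[(a["src"], a["dst"])].append(a)
    graph = defaultdict(lambda: defaultdict(int))
    for (src, dst), seq in by_pair.items():
        seq.sort(key=lambda a: a["ts"])
        stages = []
        for a in seq:
            if not stages or stages[-1] != a["stage"]:
                stages.append(a["stage"])
        for u, v in zip(stages, stages[1:]):
            graph[dst][(u, v)] += 1
    return graph


def attack_paths(edges):
    """Enumerate stage paths from entry stages (no predecessor) to terminal
    stages, without revisiting a stage so cyclic graphs still terminate."""
    succ, nodes, has_pred = defaultdict(list), set(), set()
    for u, v in edges:
        succ[u].append(v)
        nodes.update((u, v))
        has_pred.add(v)
    paths = []

    def walk(node, path):
        path = path + [node]
        nxt = [n for n in succ[node] if n not in path]
        if not nxt:
            paths.append(path)
        for n in nxt:
            walk(n, path)

    for root in sorted(nodes - has_pred):
        walk(root, [])
    return paths


if __name__ == "__main__":
    graph = build_attack_graph(parse_alerts(SAMPLE_FAST_LOG.splitlines()))
    for victim, edges in graph.items():
        print(f"victim {victim}")
        for (u, v), n in sorted(edges.items()):
            print(f"  {u} -> {v}  (seen in {n} attacker sequence(s))")
        for path in attack_paths(edges):
            print("  path:", " -> ".join(path))
```

On the constructed input, both attackers reach 10.0.1.20 from reconnaissance to exploitation, so that edge carries weight 2, while only one sequence continues through privilege escalation to exfiltration; the single scan against 10.0.1.30 yields no edge, because a one-stage sequence is not a path. Two things the sketch deliberately leaves out, and which a real implementation must handle: normalising alert direction (an outbound exfiltration alert has the victim as source) and bounding the time window within which alerts are chained, so that unrelated activity weeks apart is not stitched into one scenario.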

Required knowledge

  • Strong Python programming skills.
  • Some interest in, and basic knowledge of, cybersecurity.
  • Familiarity with basic concepts such as vulnerabilities and intrusion detection.